Is it Possible to Encrypt All/Part of a values.yaml that you are feeding to a Helm Chart? #3136
We are coming from helmfile, https://github.com/roboll/helmfile#environment-secrets , which allows you to encrypt parts of the values that you are feeding into helm charts. I have not been able to quite figure this out in Flux. Any help in the right direction would be great. Thanks.
You can use `HelmRelease.spec.valuesFrom` and point helm-controller to a Kubernetes Secret that holds the `secretvalues.yaml`. Then in Git, you'll encrypt the secret with SOPS. When kustomize-controller applies the HelmRelease and the Secret manifests, it will first decrypt the secret, then helm-controller will use it for setting the values. Docs:
Are there any working examples of this? I have bounced around between Slack and the documentation but haven't been able to find an end-to-end working example. This was my last attempt: https://gist.github.com/jseiser/1131558bb121ca6ff099cf85cc0e3e85 The secret is created. The data is there. It's getting decrypted as well, because helm returns values.
Same output, but from my other cluster where this chart is deployed by Terraform.
OK, I am still not able to find documentation on how to properly use 'secretGenerator'. The problem is def. that the secret does not get formatted correctly, but again, I have no idea how to get it formatted correctly using the secretGenerator. I was able to copy this: https://github.com/fluxcd/helm-controller/blob/main/config/testdata/valuesfrom/secret.yaml and encrypt the secret myself, using sops. Then pass THAT into the HelmRelease and it works, but it's less than ideal since when you update the secret, it does not trigger the helm release to update.
So I have been through that documentation, and we went through it in Slack, and no one was able to actually get it to work. actual file
with a .sops.yaml that looks like this, which is what is covered in the Flux SOPS documentation.
So making sops.yaml look like
The file gets all messed up.
Is there any end-to-end working example of Flux + secretGenerator? Thanks.
Doing it that way, just encrypted part of the yaml.
Sops encrypts the complete values.yaml file, which is definitely not needed; only the part where the secrets are should be encrypted. I also understand it's hard to find which parts should be encrypted and which not, but encrypting the complete file also does not feel right.
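The following is an added worked example of the `valuesFrom` + SOPS approach described in the answer above; it is not code from this thread or from the Flux project. It also addresses the later concern about encrypting the whole values file: non-secret values stay in plain `spec.values` in Git, only the `stringData` of a small Secret manifest is encrypted, and `encrypted_regex` keeps the Secret's `metadata` readable. All names (`my-app`, `my-app-secret-values`, `my-app-repo`, `sops-age`, the file paths) and the API versions are assumptions; the age recipient is a placeholder to replace with your own public key, and the `sops-age` Secret in `flux-system` is assumed to hold the matching private key as the Flux SOPS guide describes.

```yaml
# .sops.yaml (repo root): encrypt only data/stringData of Secret manifests
# under ./apps, so metadata and everything else stays readable in Git.
# The age recipient below is a placeholder, not a real key.
creation_rules:
  - path_regex: apps/.*\.secret\.yaml$
    encrypted_regex: ^(data|stringData)$
    age: age1PLACEHOLDER_PUBLIC_KEY
---
# apps/my-app.secret.yaml
# Run `sops -e -i apps/my-app.secret.yaml` before committing; after that,
# only the stringData block below is ciphertext in Git.
# The password value is a constructed sample, not a real credential.
apiVersion: v1
kind: Secret
metadata:
  name: my-app-secret-values
  namespace: my-app
stringData:
  values.yaml: |
    database:
      password: constructed-sample-password
---
# apps/my-app-release.yaml
# Non-secret values live in spec.values; helm-controller deep-merges the
# decrypted Secret on top of them, so only the secret leaf is hidden.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: my-app
  namespace: my-app
spec:
  interval: 10m
  chart:
    spec:
      chart: my-app
      sourceRef:
        kind: HelmRepository
        name: my-app-repo
  values:
    database:
      host: db.example.internal
      user: app
  valuesFrom:
    - kind: Secret
      name: my-app-secret-values
      valuesKey: values.yaml   # key inside the Secret holding the values document
---
# clusters/prod/apps.yaml
# The Flux Kustomization that applies ./apps; decryption is what lets
# kustomize-controller turn the SOPS-encrypted Secret back into a plain
# Secret in the cluster before helm-controller reads it.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 10m
  path: ./apps
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age   # assumed to contain the age private key (age.agekey)
```

The `path_regex` and `encrypted_regex` together mean `sops` encrypts just the `stringData` values of files named `*.secret.yaml`; other manifests under `./apps`, including the HelmRelease, are left untouched. If the Secret comes out with the wrong shape in the cluster, check it with `kubectl -n my-app get secret my-app-secret-values -o yaml`: the decrypted `data.values.yaml` must be a base64-encoded YAML document that parses on its own, otherwise helm-controller cannot merge it.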